Revision 5114d3eb
Added by Michael Moll about 8 years ago
files/lenses/test_trapperkeeper.aug | ||
module Test_Trapperkeeper =
|
||
|
||
(* Variable: config *)
|
||
let config = "
|
||
# This is a comment
|
||
webserver: {
|
||
bar: {
|
||
# A comment
|
||
host: localhost
|
||
port= 9000
|
||
default-server: true
|
||
}
|
||
|
||
foo: {
|
||
host: localhost
|
||
port = 10000
|
||
}
|
||
}
|
||
|
||
jruby-puppet: {
|
||
# This setting determines where JRuby will look for gems. It is also
|
||
# used by the `puppetserver gem` command line tool.
|
||
gem-home: /var/lib/puppet/jruby-gems
|
||
|
||
# (optional) path to puppet conf dir; if not specified, will use the puppet default
|
||
master-conf-dir: /etc/puppet
|
||
|
||
# (optional) path to puppet var dir; if not specified, will use the puppet default
|
||
master-var-dir: /var/lib/puppet
|
||
|
||
# (optional) maximum number of JRuby instances to allow; defaults to <num-cpus>+2
|
||
#max-active-instances: 1
|
||
}
|
||
|
||
|
||
# CA-related settings
|
||
certificate-authority: {
|
||
|
||
# settings for the certificate_status HTTP endpoint
|
||
certificate-status: {
|
||
|
||
# this setting contains a list of client certnames who are whitelisted to
|
||
# have access to the certificate_status endpoint. Any requests made to
|
||
# this endpoint that do not present a valid client cert mentioned in
|
||
# this list will be denied access.
|
||
client-whitelist: []
|
||
}
|
||
}
|
||
|
||
os-settings: {
|
||
ruby-load-path: [/usr/lib/ruby/vendor_ruby, /home/foo/ruby ]
|
||
}
|
||
\n"
|
||
|
||
(* Test: Trapperkeeper.lns
|
||
Test full config file *)
|
||
test Trapperkeeper.lns get config =
|
||
{ }
|
||
{ "#comment" = "This is a comment" }
|
||
{ "@hash" = "webserver"
|
||
{ "@hash" = "bar"
|
||
{ "#comment" = "A comment" }
|
||
{ "@simple" = "host" { "@value" = "localhost" } }
|
||
{ "@simple" = "port" { "@value" = "9000" } }
|
||
{ "@simple" = "default-server" { "@value" = "true" } }
|
||
}
|
||
{ }
|
||
{ "@hash" = "foo"
|
||
{ "@simple" = "host" { "@value" = "localhost" } }
|
||
{ "@simple" = "port" { "@value" = "10000" } }
|
||
}
|
||
}
|
||
{ }
|
||
{ "@hash" = "jruby-puppet"
|
||
{ "#comment" = "This setting determines where JRuby will look for gems. It is also" }
|
||
{ "#comment" = "used by the `puppetserver gem` command line tool." }
|
||
{ "@simple" = "gem-home" { "@value" = "/var/lib/puppet/jruby-gems" } }
|
||
{ }
|
||
{ "#comment" = "(optional) path to puppet conf dir; if not specified, will use the puppet default" }
|
||
{ "@simple" = "master-conf-dir" { "@value" = "/etc/puppet" } }
|
||
{ }
|
||
{ "#comment" = "(optional) path to puppet var dir; if not specified, will use the puppet default" }
|
||
{ "@simple" = "master-var-dir" { "@value" = "/var/lib/puppet" } }
|
||
{ }
|
||
{ "#comment" = "(optional) maximum number of JRuby instances to allow; defaults to <num-cpus>+2" }
|
||
{ "#comment" = "max-active-instances: 1" }
|
||
}
|
||
{ }
|
||
{ }
|
||
{ "#comment" = "CA-related settings" }
|
||
{ "@hash" = "certificate-authority"
|
||
{ "#comment" = "settings for the certificate_status HTTP endpoint" }
|
||
{ "@hash" = "certificate-status"
|
||
{ "#comment" = "this setting contains a list of client certnames who are whitelisted to" }
|
||
{ "#comment" = "have access to the certificate_status endpoint. Any requests made to" }
|
||
{ "#comment" = "this endpoint that do not present a valid client cert mentioned in" }
|
||
{ "#comment" = "this list will be denied access." }
|
||
{ "@array" = "client-whitelist" }
|
||
}
|
||
}
|
||
{ }
|
||
{ "@hash" = "os-settings"
|
||
{ "@array" = "ruby-load-path"
|
||
{ "1" = "/usr/lib/ruby/vendor_ruby" }
|
||
{ "2" = "/home/foo/ruby" }
|
||
}
|
||
}
|
||
{ }
|
||
|
||
|
||
(* Test: Trapperkeeper.lns
|
||
Should parse an empty file *)
|
||
test Trapperkeeper.lns get "\n" = {}
|
||
|
||
(* Test: Trapperkeeper.lns
|
||
Values can be quoted *)
|
||
test Trapperkeeper.lns get "os-settings: {
|
||
ruby-load-paths: [\"/usr/lib/ruby/site_ruby/1.8\"]
|
||
}\n" =
|
||
{ "@hash" = "os-settings"
|
||
{ "@array" = "ruby-load-paths"
|
||
{ "1" = "/usr/lib/ruby/site_ruby/1.8" }
|
||
}
|
||
}
|
||
|
||
(* Test: Trapperkeeper.lns
|
||
Keys can be quoted *)
|
||
test Trapperkeeper.lns get "test: {
|
||
\"x\": true
|
||
}\n" =
|
||
{ "@hash" = "test"
|
||
{ "@simple" = "x" { "@value" = "true" } } }
|
||
|
||
(* Test: Trapperkeeper.lns
|
||
Keys can contain /
|
||
test Trapperkeeper.lns get "test: {
|
||
\"x/y\" : z
|
||
}\n" =
|
||
{ "@hash" = "test"
|
||
{ "@simple" = "x/y" { "@value" = "z" } } }
|
||
*)
|
files/lenses/trapperkeeper.aug | ||
(*
|
||
Module: Trapperkeeper
|
||
Parses Trapperkeeper configuration files
|
||
|
||
Author: Raphael Pinson <raphael.pinson@camptocamp.com>
|
||
|
||
About: License
|
||
This file is licenced under the LGPL v2+, like the rest of Augeas.
|
||
|
||
About: Lens Usage
|
||
To be documented
|
||
|
||
About: Configuration files
|
||
This lens applies to Trapperkeeper webservice configuration files. See <filter>.
|
||
|
||
About: Examples
|
||
The <Test_Trapperkeeper> file contains various examples and tests.
|
||
*)
|
||
module Trapperkeeper =
|
||
|
||
autoload xfm
|
||
|
||
(************************************************************************
|
||
* Group: USEFUL PRIMITIVES
|
||
*************************************************************************)
|
||
|
||
(* View: empty *)
|
||
let empty = Util.empty
|
||
|
||
(* View: comment *)
|
||
let comment = Util.comment
|
||
|
||
(* View: sep *)
|
||
let sep = del /[ \t]*[\/:=]/ ":"
|
||
|
||
(* View: sep_with_spc *)
|
||
let sep_with_spc = sep . Sep.opt_space
|
||
|
||
(************************************************************************
|
||
* Group: BLOCKS (FROM 1.2, FOR 0.10 COMPATIBILITY)
|
||
*************************************************************************)
|
||
|
||
(* Variable: block_ldelim_newlines_re *)
|
||
let block_ldelim_newlines_re = /[ \t\n]+\{([ \t\n]*\n)?/
|
||
|
||
(* Variable: block_rdelim_newlines_re *)
|
||
let block_rdelim_newlines_re = /[ \t]*\}/
|
||
|
||
(* Variable: block_ldelim_newlines_default *)
|
||
let block_ldelim_newlines_default = "\n{\n"
|
||
|
||
(* Variable: block_rdelim_newlines_default *)
|
||
let block_rdelim_newlines_default = "}"
|
||
|
||
(************************************************************************
|
||
* View: block_newline
|
||
* A block enclosed in brackets, with newlines forced
|
||
* and indentation defaulting to a tab.
|
||
*
|
||
* Parameters:
|
||
* entry:lens - the entry to be stored inside the block.
|
||
* This entry should not include <Util.empty>,
|
||
* <Util.comment> or <Util.comment_noindent>,
|
||
* should be indented and finish with an eol.
|
||
************************************************************************)
|
||
let block_newlines (entry:lens) (comment:lens) =
|
||
del block_ldelim_newlines_re block_ldelim_newlines_default
|
||
. ((entry | comment) . (Util.empty | entry | comment)*)?
|
||
. del block_rdelim_newlines_re block_rdelim_newlines_default
|
||
|
||
(************************************************************************
|
||
* Group: ENTRY TYPES
|
||
*************************************************************************)
|
||
|
||
let opt_dquot (lns:lens) = del /"?/ "" . lns . del /"?/ ""
|
||
|
||
(* View: simple *)
|
||
let simple = [ Util.indent . label "@simple" . opt_dquot (store /[A-Za-z0-9_.-]+/) . sep_with_spc
|
||
. [ label "@value" . opt_dquot (store /[^,"\[ \t\n]+/) ]
|
||
. Util.eol ]
|
||
|
||
(* View: array *)
|
||
let array =
|
||
let lbrack = Util.del_str "["
|
||
in let rbrack = Util.del_str "]"
|
||
in let opt_space = del /[ \t]*/ ""
|
||
in let comma = opt_space . Util.del_str "," . opt_space
|
||
in let elem = [ seq "elem" . opt_dquot (store /[^,"\[ \t\n]+/) ]
|
||
in let elems = counter "elem" . Build.opt_list elem comma
|
||
in [ Util.indent . label "@array" . store Rx.word
|
||
. sep_with_spc . lbrack . Sep.opt_space
|
||
. (elems . Sep.opt_space)?
|
||
. rbrack . Util.eol ]
|
||
|
||
(* View: hash *)
|
||
let hash (lns:lens) = [ Util.indent . label "@hash" . store Rx.word . sep
|
||
. block_newlines lns Util.comment
|
||
. Util.eol ]
|
||
|
||
|
||
(************************************************************************
|
||
* Group: ENTRY
|
||
*************************************************************************)
|
||
|
||
(* Just for typechecking *)
|
||
let entry_hash_no_rec = hash (simple|array)
|
||
|
||
let entry_simple_no_rec = simple
|
||
|
||
(* View: entry_hash *)
|
||
let rec entry_hash = hash (entry_hash|simple|array)
|
||
|
||
(* View: entry_simple *)
|
||
let rec entry_simple = simple
|
||
|
||
(************************************************************************
|
||
* Group: LENS AND FILTER
|
||
*************************************************************************)
|
||
|
||
(* View: lns *)
|
||
let lns = (empty|comment)* . ((entry_hash|entry_simple) . (empty|comment)*)*
|
||
|
||
(* Variable: filter *)
|
||
let filter = incl "/etc/puppetserver/conf.d/*"
|
||
. incl "/etc/puppetlabs/puppetserver/conf.d/*"
|
||
. Util.stdexcl
|
||
|
||
let xfm = transform lns filter
|
manifests/init.pp | ||
# disable in case CA is delegated to a separate instance
|
||
# type:boolean
|
||
#
|
||
# $server_lenses_dir:: The path of the augeas lenses directory
|
||
# type:string
|
||
#
|
||
# $server_puppetserver_dir:: The path of the puppetserver config dir
|
||
# type:string
|
||
#
|
||
... | ... | |
$server_jvm_min_heap_size = $puppet::params::server_jvm_min_heap_size,
|
||
$server_jvm_max_heap_size = $puppet::params::server_jvm_max_heap_size,
|
||
$server_jvm_extra_args = $puppet::params::server_jvm_extra_args,
|
||
$server_lenses_dir = $puppet::params::server_lenses_dir,
|
||
$server_jruby_gem_home = $puppet::params::server_jruby_gem_home,
|
||
$server_max_active_instances = $puppet::params::server_max_active_instances,
|
||
) inherits puppet::params {
|
||
... | ... | |
if $server_implementation == 'puppetserver' {
|
||
validate_re($server_jvm_min_heap_size, '^[0-9]+[kKmMgG]$')
|
||
validate_re($server_jvm_max_heap_size, '^[0-9]+[kKmMgG]$')
|
||
validate_absolute_path($server_lenses_dir)
|
||
validate_absolute_path($server_puppetserver_dir)
|
||
validate_absolute_path($server_jruby_gem_home)
|
||
validate_integer($server_max_active_instances)
|
manifests/params.pp | ||
$sharedir = "${dir_prefix}/share"
|
||
$bindir = "${dir_prefix}/bin"
|
||
$root_group = undef
|
||
$server_lenses_dir = "${dir_prefix}/share/augeas/lenses"
|
||
}
|
||
|
||
/^(FreeBSD|DragonFly)$/ : {
|
||
... | ... | |
$sharedir = '/usr/local/share/puppet'
|
||
$bindir = '/usr/local/bin'
|
||
$root_group = undef
|
||
$server_lenses_dir = '/usr/local/share/augeas/lenses'
|
||
}
|
||
|
||
default : {
|
||
... | ... | |
$vardir = '/opt/puppetlabs/puppet/cache'
|
||
$sharedir = '/opt/puppetlabs/puppet'
|
||
$bindir = '/opt/puppetlabs/bin'
|
||
$server_lenses_dir = '/opt/puppetlabs/puppet/share/augeas/lenses'
|
||
} else {
|
||
$dir = '/etc/puppet'
|
||
$codedir = '/etc/puppet'
|
||
... | ... | |
$vardir = '/var/lib/puppet'
|
||
$sharedir = '/usr/share/puppet'
|
||
$bindir = '/usr/bin'
|
||
$server_lenses_dir = '/usr/share/augeas/lenses'
|
||
}
|
||
$root_group = undef
|
||
}
|
||
... | ... | |
$server_ca_client_whitelist = [ '127.0.0.1', '::1', $::ipaddress ]
|
||
$server_cipher_suites = [ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
|
||
$server_ssl_protocols = [ 'TLSv1.2', ]
|
||
|
||
}
|
manifests/server/augeaslens.pp | ||
class puppet::server::augeaslens {
|
||
file { "${puppet::server_lenses_dir}/trapperkeeper.aug":
|
||
ensure => file,
|
||
owner => 'root',
|
||
group => $::puppet::params::root_group,
|
||
mode => '0644',
|
||
content => file("${module_name}/lenses/trapperkeeper.aug"),
|
||
}
|
||
}
|
manifests/server/puppetserver.pp | ||
$server_ca_client_whitelist = $::puppet::server_ca_client_whitelist,
|
||
$server_admin_api_whitelist = $::puppet::server_admin_api_whitelist,
|
||
) {
|
||
require ::puppet::server::augeaslens
|
||
include ::puppet::server
|
||
|
||
$puppetserver_package = pick($::puppet::server_package, 'puppetserver')
|
||
... | ... | |
],
|
||
}
|
||
|
||
$augcmds = $server_ca ? {
|
||
true => ['rm @simple[. = "puppetlabs.services.ca.certificate-authority-disabled-service"]',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-service"] puppetlabs.services.ca.certificate-authority-service',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-service"]/@value certificate-authority-service',],
|
||
default => ['rm @simple[. = "puppetlabs.services.ca.certificate-authority-service"]',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-disabled-service"] puppetlabs.services.ca.certificate-authority-disabled-service',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-disabled-service"]/@value certificate-authority-disabled-service',],
|
||
$ca_enabled_ensure = $server_ca ? {
|
||
true => present,
|
||
default => absent,
|
||
}
|
||
|
||
augeas { 'puppet::server::puppetserver::server_ca':
|
||
context => "/files${server_puppetserver_dir}/bootstrap.cfg",
|
||
changes => $augcmds,
|
||
incl => "${server_puppetserver_dir}/bootstrap.cfg",
|
||
lens => 'Trapperkeeper.lns',
|
||
$ca_disabled_ensure = $server_ca ? {
|
||
false => present,
|
||
default => absent,
|
||
}
|
||
|
||
file_line { 'ca_enabled':
|
||
ensure => $ca_enabled_ensure,
|
||
path => "${server_puppetserver_dir}/bootstrap.cfg",
|
||
line => 'puppetlabs.services.ca.certificate-authority-service/certificate-authority-service',
|
||
}
|
||
|
||
file_line { 'ca_disabled':
|
||
ensure => $ca_disabled_ensure,
|
||
path => "${server_puppetserver_dir}/bootstrap.cfg",
|
||
line => 'puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service',
|
||
}
|
||
|
||
file { "${server_puppetserver_dir}/conf.d/ca.conf":
|
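Review bot: The two `file_line` resources for bootstrap.cfg match on the exact `line` text only, so the `ensure => absent` side (`ca_disabled` when `$server_ca` is true, `ca_enabled` otherwise) will leave in place any spelling of the same service entry that differs in whitespace or trailing content, and the `ensure => present` side will then append a second entry beside it; bootstrap.cfg could end up declaring both `certificate-authority-service` and `certificate-authority-disabled-service`, which the removed augeas resource avoided by addressing the node by path. A `match` on the service prefix, e.g. `match => '^puppetlabs\.services\.ca\.certificate-authority-service/',` on `ca_enabled` (and the disabled counterpart on `ca_disabled`), makes the present case replace an existing variant instead of appending; for the absent case stdlib's `match_for_absence` would be needed, if the stdlib version this module pins supports it. Neither `file_line` visibly notifies the puppetserver service, so confirm the class's refresh relationships cover them as they did the augeas resource. The enclosing class body starts and ends outside this hunk.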
spec/classes/puppet_server_config_spec.rb | ||
with_content(/^\s+rundir\s+= #{rundir}$/).
|
||
with_content(/^\s+ssldir\s+= #{ssldir}$/).
|
||
with_content(/^\s+reports\s+= foreman$/).
|
||
with_content(/^\s+privatekeydir\s+= \$ssldir\/private_keys { group = service }$/).
|
||
with_content(/^\s+hostprivkey\s+= \$privatekeydir\/\$certname.pem { mode = 640 }$/).
|
||
with_content(/^\s+autosign\s+= \$confdir\/autosign.conf { mode = 664 }$/).
|
||
with_content(/^\s+privatekeydir\s+= \$ssldir\/private_keys \{ group = service \}$/).
|
||
with_content(/^\s+hostprivkey\s+= \$privatekeydir\/\$certname.pem \{ mode = 640 \}$/).
|
||
with_content(/^\s+autosign\s+= \$confdir\/autosign.conf \{ mode = 664 \}$/).
|
||
with({}) # So we can use a trailing dot on each with_content line
|
||
|
||
should contain_concat__fragment('puppet.conf+20-agent').
|
||
... | ... | |
|
||
it 'should add the branch map to the post receive hook' do
|
||
should contain_file("#{vardir}/puppet.git/hooks/post-receive").
|
||
with_content(/BRANCH_MAP = {\n "a" => "b",\n "c" => "d",\n}/)
|
||
with_content(/BRANCH_MAP = \{\n "a" => "b",\n "c" => "d",\n\}/)
|
||
end
|
||
end
|
||
|
spec/classes/puppet_server_puppetserver_spec.rb | ||
:server_puppetserver_dir => '/etc/custom/puppetserver',
|
||
})
|
||
end
|
||
it { should contain_augeas('puppet::server::puppetserver::server_ca').
|
||
with_changes([
|
||
'rm @simple[. = "puppetlabs.services.ca.certificate-authority-disabled-service"]',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-service"] puppetlabs.services.ca.certificate-authority-service',
|
||
'set @simple[. = "puppetlabs.services.ca.certificate-authority-service"]/@value certificate-authority-service',
|
||
]).
|
||
with_context('/files/etc/custom/puppetserver/bootstrap.cfg').
|
||
with_incl('/etc/custom/puppetserver/bootstrap.cfg').
|
||
with_lens('Trapperkeeper.lns').
|
||
with({})
|
||
it {
|
||
should contain_file_line('ca_enabled').
|
||
with_ensure('present').
|
||
with_line('puppetlabs.services.ca.certificate-authority-service/certificate-authority-service')
|
||
}
|
||
it {
|
||
should contain_file_line('ca_disabled').
|
||
with_ensure('absent').
|
||
with_line('puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service')
|
||
}
|
||
it { should contain_augeas('puppet::server::puppetserver::jvm').
|
||
with_changes([
|
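Review bot: The new `file_line` examples assert `ensure` and `line` but not `path`, whereas the replaced augeas example pinned both `with_context` and `with_incl` to `/etc/custom/puppetserver/bootstrap.cfg`; with `:server_puppetserver_dir => '/etc/custom/puppetserver'` set in this context, the path interpolation in `puppetserver.pp` is now untested. Add `with_path('/etc/custom/puppetserver/bootstrap.cfg').` to both `it` blocks. It is not visible here whether a `server_ca => false` context asserts the inverse (`ca_enabled` absent, `ca_disabled` present); if none exists, one is worth adding, since those two selectors are what keep the file from declaring both services.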
use file_line for bootstrap.cfg
Closes GH-385